Schneier Fact No. 27[1] seems particularly relevant in light of the [very useful, but preaching to the choir maybe?] advice he's handing out here:
Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
The attacker who uses your stolen password is just as likely to be trying it a year from now as he is to be trying it the moment he captures it. Maybe he's not even the person who originally stole it. A stolen password for an account whose password isn't regularly changed is a backdoor that can't be patched or detected. It's actually more valuable in some ways than a rootkit.
This isn't idle punditry. Maybe once a year, I end up on a penetration test that works its way onto internal networks or desktops, and every one of those engagements invariably has a "here's the chapter of the report where we ended the universe" because one person saved a password somewhere a year ago and never changed it.
Yes, attackers will mount active attacks, and yes, attackers will install backdoors. But they will also sweep your machine for textual passwords and then bank them.
There are classes of passwords that don't merit regular changes. Your one-off passwords for sites like Reddit (please, don't share passwords between sites) don't need changing. I'm also not religious about changing single-purpose rarely-changed Keychain-generated passwords.
So in general: you don't need to regularly change the password to your computer or online financial accounts.
I think it depends on your definition of "regularly". You say once a year, and it's likely he'd agree with that. He might disagree if regularly is defined as monthly or quarterly.
> The attacker who uses your stolen password is just as likely to be trying it a year from now than he is to be trying it the moment he captures it.
Although this might sound a bit off to other readers, this actually correlates quite well with what we see in the (suddenly now sexy) APT space when a network gets 're-popped'. If the attacker has been in before they'll usually have some good intel on the Internal network structure and will often try old passwords, then potentially variants of them assuming the same lockout as when they took the configs/policies.
I can also vouch for the pen test story. It's also why I generally take last year's report with me, as it usually helps me find out what the password was. We don't usually write the password down in the report but do give subtle clues to jog the tester's memory.
I'm not sure what you mean about sweeping the machine for textual passwords. It's not uncommon to search the filesystem for files containing a current password or 'password', 'username' etc. but it's not that common in the wild as it generates a lot of i/o and can raise suspicions. The last thing you want is for the end user to ctrl-alt-del and see notepad.exe using a load of disk activity. Of course an adversary worth their salt would've migrated to a different process by then but even so, if you're wondering why is csrss.exe thrashing the drive like that, then you might have something worth investigating.
For places like reddit, I'd say sharing passwords between sites is fine as long as you're comfortable with them all being compromised. I have the same passwords for things I don't really care for as far as compromise is concerned. For more important information assets I find it better to adopt a defence in depth approach than to rely on several hundred passwords alone.
What is the APT space? Guessing it has nothing to do with the advanced packaging tool. ("apt" is not very google-able, and no acronyms particularly stood out to me).
Advanced Persistent Threat - A misappropriated buzzword to describe what used to be called targeted malware attacks or in some cases Computer Network Espionage (or sometimes Exploitation).
There's a metric shedload of garbage out there, so if you want to read some more, here's some interesting links:
I'm hoping he doesn't mean "Advanced Persistent Threat" (gag), which is a marketing term invented after the Google/Aurora debacle to try to sell products and services ("APT defenses") on a "don't let this happen to you" message.
He might mean "Application Penetration Test", except that app pentests rarely pivot to internal networks and passwords (they're usually part of the software development lifecycle and are about "is this app safe to deploy").
No I do mean Advanced Persistent Threat, and the term pre-dates Aurora by a few years, it's just been misappropriated by Mandiant's marketing department and then every man and his dog has smelt money.
Traditionally we've used the term Targeted Attack or CNE (meaning Computer Network Exploitation), but people tend to ask what that is. I die a little inside when I use the APT term, but people who get it, get it, and people that listen to marketers (rightfully) act suspicious.
The attacks are real and have been going on since the 90s, but it's not as clean cut as people make out. The primary distinguishing factor is the 'P' for persistence, not necessarily the 'A'. Anyone selling on a "don't let this happen to you" message is obviously selling bunk. You're either a target or not for this stuff, and that depends on a whole load of factors. If you're not a target then your biggest similar threat is probably broad malware attacks (more associated with botnets) or unfocused criminal activity. If you're susceptible to APT, it's because you've already been hit. That's why "don't let this happen to you" doesn't work - it will happen, and it will happen again. The trick is to detect it and kick the buggers out before they cause any (qualified) damage.
You make an interesting point about App Pen Tests. I'm surprised that you say that it rarely pivots. We do all the time. We routinely face people who say Cross-Site Scripting isn't an issue, until we show them different ways of attacking their users - as opposed to the dull alert('XSSLOL');
Likewise for SQL injection I certainly find that breaking in and hunting around leads to all kinds of things you otherwise wouldn't see. If you're not trying to break in, it's not really a 'Penetration' test as much as the app equivalent of a Vulnerability Assessment.
Look, it's easy to muddy the waters here by talking about mechanized attacks by bot herders and the like, but when you're talking about people that care about passwords at all, yes, really: they're valuable and people hold on to them.
It's amazing how much of this is alleviated by something like 1Password or LastPass which I currently use. It'll generate a strong random password for me and remember it so I don't have to write it down. Changing passwords is just as easy.
Absolutely. I use 1Password myself and, as a safety measure, recently changed a bunch of my passwords at once and it was a real breeze.
Go to a site, go to the account page, asked 1Password to generate a new password, 1Password detects what's happening and asks if I want to update the login info, go to next site.
I was able to change the password for all my important accounts in a matter of minutes.
> And two, it's far more important to choose a good password for the sites that matter -- don't worry about sites you don't care about that nonetheless demand that you register and choose a password...
I actively use terrible and crappy passwords for certain sites, when I'm more worried about someone getting the password than someone getting access to my account on that site.
Actually I think that forcing users to change their passwords doesn't really improve security and it may well decrease it.
Good passwords are hard to memorize and if I'm forced to change it every few months then I can do two things: change it as little as possible (e.g. add a number or a character at the end and cycle between them as allowed) or use a weak password (and maybe do the same with it).
Now if one has a lot of accounts and passwords and tries to be safe and use an app like passwordsafe then the ignorant service operators (e.g. my bank...) who force frequent password changes can turn life into a really bad experience forcing us to do password changes every few days on one system or the other (or just force the user to give up on secure passwords).
Now if someone wants to secure their system then they should use two factor authentication. Now that everybody has a mobile phone, basically everybody has a secure token. (I know that mobile phones are not that 'tamper resistant', still they are something that an attacker has to have their hands on. And you'll probably notice if you lose your phone sooner than you would notice your purse.)
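The failure mode described above (users answering a forced rotation by bumping a trailing digit, or cycling between a few old passwords) is something a change-password endpoint can check for at the one moment it sees both the old and the new value in cleartext. This is an added example, not code from the thread or from any product mentioned in it; the PBKDF2 history store, the tail-stripping rule and the similarity threshold are my own assumptions.

```python
import hashlib
import re
from difflib import SequenceMatcher


def _strip_tail(pw: str) -> str:
    """Drop the trailing run of digits/punctuation that gets bumped on each forced change."""
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", pw).lower()


def is_trivial_variant(old: str, new: str, min_ratio: float = 0.8) -> bool:
    """True when `new` is `old` with only its tail changed, or is near-identical overall.

    The 0.8 similarity threshold is an assumed tuning value, not a standard."""
    if _strip_tail(old) == _strip_tail(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= min_ratio


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is a constructed placeholder."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def in_history(new: str, history) -> bool:
    """history is a list of (salt, digest) pairs for the user's previous passwords,
    so cycling back to an old one is caught without storing any cleartext."""
    return any(hash_password(new, salt) == digest for salt, digest in history)


def accept_change(old: str, new: str, history):
    """Policy decision for a password-change request: (accepted, reason)."""
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    if in_history(new, history):
        return False, "password was used recently"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a user who cycles seasonal passwords and bumps the year.
    salt = b"constructed-salt"
    history = [(salt, hash_password("Summer2013!", salt))]
    print(accept_change("Summer2013!", "Summer2014!", history))
    print(accept_change("Winter2013!", "Summer2013!", history))
    print(accept_change("Winter2013!", "glacier-lantern-cobalt-9", history))
```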
> Someone committing espionage in a private network is more likely to
> be stealthy. But he's also not likely to rely on the user credential
> he guessed and stole; he's going to install backdoor access or
> create his own account. Here again, forcing network users to
> regularly change their passwords is less important than forcing
> everyone to change their passwords immediately after the spy is
> detected and removed -- you don't want him getting in again.
Most likely if a {corporate,government} spy is caught, the institution will try to keep it under wraps as much as possible. Only telling employees to change passwords in the event that such a thing happens is tantamount to admitting it having happened.
If you worked for a company that never made you change your password, and all of the sudden there was a one-time corporate directive that everyone had to change their password, what would you think? That somehow security had been compromised.
I thought he might finish off there at the end with key passwords, like the email account that all the change of password notifications go to.
As once that one's compromised, you've pretty much been compromised everywhere on the internet apart from maybe banks that require phone or fax steps for password changes.
I don't think it's possible to extract "much less secure" from that post (he has carefully hedged it to avoid writing anything falsifiable). The only downside he's explicitly cited is that he thinks it might cause people to pick less secure passwords.
I have a hard time buying this argument, because people pick godawful passwords anyways; the very few people who pick decent passwords are probably not derailed too much by a periodic change requirement.
And, for what it's worth: Schneier himself advocates writing passwords down.
Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
No wonder he uses a password manager, eh?
[1] http://www.schneierfacts.com/fact/27